On 29 August 2022, the Information Regulator announced that it has issued summons against the South African Police Service, concerning a leak of personal information of several victims/survivors who were raped in Krugerdorp in July 2022. The Information Regulator, as South Africa’s data protection authority, is mandated to monitor and enforce compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).
It is alleged that SAPS members shared the women’s’ names, ages, addresses, and details surrounding their assaults, over WhatsApp.
According to the media statement, the Regulator tried to engage with the SAPS before instituting legal proceedings by issuing an information notice in terms of section 90 of POPIA. The Regulator has described SAPS’ response to the notice as inadequate.
Section 90 empowers the Regulator to serve a responsible party with an information notice, which requires the party to furnish the Regulator with specific information related to the processing of personal information, which must be shared within specific timeframes. The purpose of a section 90 notice is to determine whether a responsible party has interfered with the personal information of a data subject.
In its statement, the Regulator’s chairperson, Adv Pansy Tlakula, is quoted as saying: “We do not take kindly to the non-responsiveness or inadequate responses to issued Information Notices by responsible parties, because this interferes with the Regulator’s ability to conduct investigations into reported matters or those initiated by us.”
- The Information Regulator’s media statement can be accessed here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].